On 01/23/2015 06:01 PM, Stephen Harris wrote:
> At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust
> takes away the ability to manage the eTrust config from root and puts it
> in the hands of "security admin". So there's a good separation of duties;
> security admins control the security ruleset, but are limited by the OS
> permissions (so even if they granted themselves permission to modify
> /etc/shadow, the standard OS permissions would block them) and system admins
> control the OS (so they can be root, but can't override eTrust).
>
> Ideally this type of separation would be useful in the SELinux world
> as well. OK, maybe this is a bit of an overkill for my own machines,
> but then I do have bastion hosts and internal segmented networking at
> home; I do overkill at times :-)
>
> The problem is that I can't see how to prevent this. There are too many
> access points (not just the CLI tools but the pp files and the /sys tree
> and I don't know what else).
>
> I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
> has security_t so maybe a policy that denies everyone except a new
> security_admin_t permission to modify those files might work?
>
> Has anyone actually attempted this?
>

You would need to disable the unconfined.pp module and the unconfineduser.pp
module and run all of your users as confined users, including the admin user
as sysadm_t.

You could also set the secure_ booleans:

getsebool -a | grep secure_*
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
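A small audit check for the setup this reply describes, added here as an example and not part of the original thread: it parses captured output of getsebool -a and semodule -l (constructed samples below) rather than invoking the tools, so it runs anywhere; on a real host, feed it the live output.

```shell
#!/bin/sh
# Audit helper for the hardening described above: no unconfined/unconfineduser
# module loaded, and every secure_* boolean turned on. Added example; the
# sample inputs are constructed and stand in for real getsebool/semodule output.

# Constructed sample of `getsebool -a | grep secure_` from an unhardened host.
SAMPLE_BOOLS='secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off'

# Constructed sample of `semodule -l` (module name first on each line; newer
# versions print only the name, older ones append a version column).
SAMPLE_MODULES='base
sysadm
unconfined
unconfineduser
userdom'

# Print each secure_* boolean whose value is still "off" (one per line).
secure_booleans_off() {
    printf '%s\n' "$1" | awk '/^secure_/ && $3 == "off" { print $1 }'
}

# Print the unconfined modules that are still loaded (one per line).
unconfined_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 == "unconfined" || $1 == "unconfineduser" { print $1 }'
}

# Verdict: return 0 only when no unconfined module is loaded and no secure_*
# boolean is off; return 1 otherwise.
audit_separation() {
    if [ -n "$(secure_booleans_off "$1")" ]; then return 1; fi
    if [ -n "$(unconfined_modules_loaded "$2")" ]; then return 1; fi
    return 0
}

# Stand-alone run against the constructed samples (expected: not hardened).
if audit_separation "$SAMPLE_BOOLS" "$SAMPLE_MODULES"; then
    echo "hardened: unconfined modules absent, secure_* booleans on"
else
    echo "not hardened:"
    secure_booleans_off "$SAMPLE_BOOLS" | sed 's/^/  boolean off: /'
    unconfined_modules_loaded "$SAMPLE_MODULES" | sed 's/^/  module loaded: /'
fi
```

On a live system the same functions take "$(getsebool -a)" and "$(semodule -l)" as their arguments.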